dc.contributor.author | Kuepper, Joel | |
dc.contributor.author | Erbsen, Andres | |
dc.contributor.author | Gross, Jason | |
dc.contributor.author | Conoly, Owen | |
dc.contributor.author | Sun, Chuyue | |
dc.contributor.author | Tian, Samuel | |
dc.contributor.author | Wu, David | |
dc.contributor.author | Chlipala, Adam | |
dc.contributor.author | Chuengsatiansup, Chitchanok | |
dc.contributor.author | Genkin, Daniel | |
dc.contributor.author | Wagner, Markus | |
dc.contributor.author | Yarom, Yuval | |
dc.date.accessioned | 2023-07-05T20:02:53Z | |
dc.date.available | 2023-07-05T20:02:53Z | |
dc.date.issued | 2023-06-06 | |
dc.identifier.issn | 2475-1421 | |
dc.identifier.uri | https://hdl.handle.net/1721.1/150988 | |
dc.description.abstract | Most software domains rely on compilers to translate high-level code to multiple different machine languages, with performance not too much worse than what developers would have the patience to write directly in assembly language. However, cryptography has been an exception, where many performance-critical routines have been written directly in assembly (sometimes through metaprogramming layers). Some past work has shown how to do formal verification of that assembly, and other work has shown how to generate C code automatically along with formal proof, but with consequent performance penalties vs. the best-known assembly. We present CryptOpt, the first compilation pipeline that specializes high-level cryptographic functional programs into assembly code significantly faster than what GCC or Clang produce, with mechanized proof (in Coq) whose final theorem statement mentions little beyond the input functional program and the operational semantics of x86-64 assembly. On the optimization side, we apply randomized search through the space of assembly programs, with repeated automatic benchmarking on target CPUs. On the formal-verification side, we connect to the Fiat Cryptography framework (which translates functional programs into C-like IR code) and extend it with a new formally verified program-equivalence checker, incorporating a modest subset of known features of SMT solvers and symbolic-execution engines. The overall prototype is quite practical, e.g. producing new fastest-known implementations of finite-field arithmetic for both Curve25519 (part of the TLS standard) and the Bitcoin elliptic curve secp256k1 for the Intel 12th and 13th generations. | en_US |
dc.publisher | ACM | en_US |
dc.relation.isversionof | https://doi.org/10.1145/3591272 | en_US |
dc.rights | Creative Commons Attribution | en_US |
dc.rights.uri | https://creativecommons.org/licenses/by/4.0/ | en_US |
dc.source | Association for Computing Machinery | en_US |
dc.title | CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives | en_US |
dc.type | Article | en_US |
dc.identifier.citation | Kuepper, Joel, Erbsen, Andres, Gross, Jason, Conoly, Owen, Sun, Chuyue et al. 2023. "CryptOpt: Verified Compilation with Randomized Program Search for Cryptographic Primitives." Proceedings of the ACM on Programming Languages, 7 (PLDI). | |
dc.contributor.department | Massachusetts Institute of Technology. Computer Science and Artificial Intelligence Laboratory | |
dc.relation.journal | Proceedings of the ACM on Programming Languages | en_US |
dc.identifier.mitlicense | PUBLISHER_CC | |
dc.eprint.version | Final published version | en_US |
dc.type.uri | http://purl.org/eprint/type/JournalArticle | en_US |
eprint.status | http://purl.org/eprint/status/PeerReviewed | en_US |
dc.date.updated | 2023-07-01T07:55:39Z | |
dc.language.rfc3066 | en | |
dc.rights.holder | The author(s) | |
dspace.date.submission | 2023-07-01T07:55:39Z | |
mit.journal.volume | 7 | en_US |
mit.journal.issue | PLDI | en_US |
mit.license | PUBLISHER_CC | |
mit.metadata.status | Authority Work and Publication Information Needed | en_US |